Nebraska Bankers Association

INFORMATION SYSTEM SECURITY: FDIC GUIDANCE – MITIGATING RISKS FROM SPYWARE

Spyware is the descriptive term for computer software that collects personal or confidential information about a person or organization, including passwords, credit card numbers and other identifying data, without their knowledge or informed consent and reports data back to a third party. Spyware may be employed by fraudsters to compromise a bank's systems or to conduct identity theft.

FDIC’s FIL-66-2005, dated July 22, 2005, entitled Guidance on Mitigating Risks from Spyware and found at http://www.fdic.gov/news/news/financial/2005/fil6605.html#body, advises institutions of the risks posed by spyware within an institution’s network and on customer computers and recommends actions to mitigate such risks. According to the Guidance, institutions should consider anti-spyware strategies for their enterprise information security programs and customer awareness programs. Risk factors identified by the FDIC include:

  • compromising confidentiality by allowing attackers to eavesdrop and intercept sensitive communications, e.g., customer IDs and passwords;
     
  • damaging an institution's reputation by potentially allowing unauthorized access to user accounts;
     
  • misappropriating bank resources and permitting unauthorized access to bank systems; and
     
  • increasing vulnerability to other Internet-based attacks, e.g., phishing and pharming.

In order to evaluate risks associated with spyware and strengthen enterprise information security programs, the Guidance advises institutions to:

  • consider threats from spyware as part of the risk assessment process and take appropriate steps to mitigate such risks, e.g., implement anti-spyware technologies;
     
  • enhance security and Internet-use policies to address risks associated with spyware and acceptable user behavior (e.g., prohibit Internet downloads and visits to inappropriate Web sites), including management initiatives to enforce policies and reprimand staff who fail to comply;
     
  • expand employee training to include the risks associated with spyware so that users will become cognizant of behavior they should adopt to prevent spyware on bank and on personal computers used to connect to the bank's network;
     
  • educate customers about spyware risks and encourage them to implement steps to prevent and detect spyware on their own computers or when using public computers (e.g., located in hotels, libraries or Internet cafés) to connect to online banking Web sites due to the uncertainty of what spyware is installed on public computers; and
     
  • investigate the implementation of multi-factor authentication methods that would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers.

Best Practices on Spyware Prevention and Detection, a supplement to the Guidance found at http://www.fdic.gov/news/news/financial/2005/fil6605a.html, suggests what institutions may do to prevent spyware from being downloaded to computers and to mitigate the risk of fraudsters obtaining online banking IDs and passwords from spyware installed on customer computers.
